CVE-2024-41336
📋 TL;DR
Draytek routers store passwords in plaintext instead of using secure hashing, allowing attackers with access to the device's storage to read sensitive credentials. This affects multiple Draytek Vigor router models running outdated firmware versions. Organizations using these vulnerable devices are at risk of credential theft.
💻 Affected Systems
- Draytek Vigor 165
- Draytek Vigor 166
- Draytek Vigor 2620
- Draytek Vigor LTE200
- Draytek Vigor 2860
- Draytek Vigor 2925
- Draytek Vigor 2862
- Draytek Vigor 2926
- Draytek Vigor 2133
- Draytek Vigor 2762
- Draytek Vigor 2832
- Draytek Vigor 2135
- Draytek Vigor 2765
- Draytek Vigor 2766
- Draytek Vigor 2865
- Draytek Vigor 2866
- Draytek Vigor 2927
- Draytek Vigor 2962
- Draytek Vigor 3910
- Draytek Vigor 3912
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to the router, pivot to internal networks, intercept traffic, and compromise connected systems.
Likely Case
Local attackers or malware on the network extract passwords, leading to unauthorized router configuration changes or credential reuse attacks.
If Mitigated
With network segmentation and strict access controls, impact is limited to the router itself without lateral movement.
🎯 Exploit Status
Exploitation requires access to read stored password data, which typically means having some level of access to the device already.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by model:
- Vigor 165/166: v4.2.6+
- Vigor 2620/LTE200: v3.9.8.8+
- Vigor 2860/2925: v3.9.7+
- Vigor 2862/2926: v3.9.9.4+
- Vigor 2133/2762/2832: v3.9.8+
- Vigor 2135/2765/2766: v4.4.5.1+
- Vigor 2865/2866/2927: v4.4.5.3+
- Vigor 2962/3910: v4.3.2.7+
- Vigor 3912: v4.3.5.2+
- Vigor 2925: v3.9.6+
Vendor Advisory: http://draytek.com
Restart Required: Yes
Instructions:
1. Identify your router model and current firmware version.
2. Download the appropriate firmware update from Draytek's support site.
3. Upload and apply the firmware update through the router's web interface.
4. Reboot the router to complete the update.
🔧 Temporary Workarounds
Change all passwords after patching
Since passwords were stored in plaintext, change all router passwords after updating to ensure any previously exposed credentials are invalidated.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable routers from critical systems
- Enable multi-factor authentication if supported and monitor for unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check your router's firmware version via the web interface (System Maintenance > Firmware Information) and compare against the fixed versions listed in the advisory.
Check Version:
No CLI command available - use web interface at System Maintenance > Firmware Information
Verify Fix Applied:
Confirm firmware version matches or exceeds the patched version for your specific model, then verify passwords are no longer stored in readable plaintext formats.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized configuration changes
- Multiple failed login attempts followed by successful login from unusual IP
Network Indicators:
- Unexpected router configuration changes
- Unusual outbound connections from router
SIEM Query:
Example: (device_vendor="Draytek" AND event_type="configuration_change") OR (device_vendor="Draytek" AND authentication_result="success" FROM new_ip)
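
The log indicators and SIEM query above, worked through as an added Python example (not part of the original page or any vendor tooling). It runs over constructed, already-normalized events. The `ts` and `src_ip` fields, the `authentication` event type, the thresholds, and the rule that a configuration change counts as unauthorized when it follows a flagged login are all assumptions.

```python
from collections import defaultdict

# Field names device_vendor, event_type and authentication_result come from the
# SIEM query above; ts (epoch seconds), src_ip and the "authentication" event
# type are assumptions about how a log pipeline normalizes router events.
def ev(ts, etype, ip, result=None, vendor="Draytek"):
    return {"ts": ts, "device_vendor": vendor, "event_type": etype,
            "authentication_result": result, "src_ip": ip}

EVENTS = [  # constructed sample data, documentation address ranges only
    ev(100, "authentication", "192.0.2.10", "success"),
    ev(150, "configuration_change", "192.0.2.10"),
    ev(1000, "authentication", "198.51.100.7", "failure"),
    ev(1020, "authentication", "198.51.100.7", "failure"),
    ev(1040, "authentication", "198.51.100.7", "failure"),
    ev(1060, "authentication", "198.51.100.7", "success"),
    ev(1200, "configuration_change", "198.51.100.7"),
    ev(1300, "authentication", "203.0.113.5", "success", vendor="Other"),
]
FAIL_THRESHOLD, FAIL_WINDOW, CHANGE_WINDOW = 3, 300, 600  # count, seconds, seconds

def detect(events, known_ips=()):
    """Return (ts, rule, src_ip) alerts; known_ips is the admin-source baseline."""
    known, fails, flagged, alerts = set(known_ips), defaultdict(list), {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["device_vendor"] != "Draytek":
            continue
        ts, ip = e["ts"], e["src_ip"]
        if e["event_type"] == "authentication":
            if e["authentication_result"] != "success":
                fails[ip].append(ts)
                continue
            burst = sum(1 for t in fails[ip] if ts - t <= FAIL_WINDOW) >= FAIL_THRESHOLD
            if ip not in known:
                alerts.append((ts, "success_from_new_ip", ip))
            if burst:
                alerts.append((ts, "failures_then_success", ip))
            if burst or ip not in known:
                flagged[ip] = ts  # remember when the suspicious session began
            known.add(ip)
            fails[ip].clear()
        elif e["event_type"] == "configuration_change":
            # Assumption: a change is treated as unauthorized when it follows a
            # flagged login from the same source within CHANGE_WINDOW.
            if ip in flagged and ts - flagged[ip] <= CHANGE_WINDOW:
                alerts.append((ts, "config_change_after_suspicious_login", ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, known_ips={"192.0.2.10"}):
        print(alert)
```

Seed `known_ips` with the management addresses already in use; with an empty baseline, the first successful login from every source is reported as new.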